

1

# A better practice for Body Biasing Injection

**Geoffrey CHANCEL** 

Jean-Marc GALLIERE

Philippe MAURINE

## CONTEXT & STATE OF THE ART



- Fault injection techniques: EMFI, LFI, BBI
- State of the art:
  - P. Maurine et al., "Yet Another Fault Injection Technique: by Forward Body Biasing Injection", 2012
  - K. Tobich et al., "Voltage Spikes on the Substrate to Obtain Timing Faults", 2013
  - N. Beringuier-Boher et al., "Body Biasing Injection Attacks in Practice", 2016
  - O'Flynn Colin, "Low-Cost Body Biasing Injection (BBI) Attacks on WLCSP Devices", 2020
  - G.Chancel et al., "Body Biasing Injection: To Thin or Not to Thin the Substrate?", 2022
  - T. Wadatsumi et al., "Voltage Surges by Backside ESD Impacts on IC Chip in Flip Chip Packaging", 2022
  - G. Chancel et al., "Body Biasing Injection: Impact of substrate types on the induced disturbances" 2022



#### OBJECTIVES

- Introduce enhanced BBI platforms:
  - Better efficiency
  - More reproducible results
- Differential fault attack:
  - Hardware AES
  - Giraud's DFA
- BBI fault model:
  - Charge extortion

#### Test platform

- AVTECH AVRK-4-B voltage pulse generator:
  - Amplitudes: ± 50 V to ± 750 V
  - Pulse widths: 6 ns to 20 ns
- Custom made BBI probes and support:
  - 3D-printed support
  - SMA connector
  - Pogo-pin
- STM32F439 32-bits microcontroller  $\rightarrow$  hardware AES co-processor











# BBI enhanced platforms



#### BBI in the state-of-the-art



- Voltage setpoint not met:
  - Lot of ringing  $\rightarrow$  impedance mismatch
  - Low-quality equipment grounding



#### BBI enhanced platform



- Voltage setpoint closer to expectations
- Less ringing



#### Experimental measurements



Setpoint: -140 V ; 20 ns



# Enhancements in practice

IC fault susceptibility analysis









### Differential fault attack in practice

#### Bit-fault attack on AES-128 $\rightarrow$ Giraud, 2002



### Differential fault attack in practice

GROUND





# From more complex simulation models to fault model



#### Complex IC models: Triple-Well





Logic inverter

Standard-cell segment



#### Effect of enhancements on a Triple-Well IC





CMOS logic gates evaluation









### BBI impact on CMOS logic gates





#### Conclusion

- Enhanced BBI platforms:
  - Generator impedance matching
  - Platform parameters requirements met (PW, voltage...)
  - Better repeatability
  - Giraud's single-bit DFA feasible
  - New step in simulation flow  $\rightarrow$  logic gates disturbances simulations